n8n workflow automation (through 1.121.2) allows authenticated users to execute arbitrary code via the n8n service, with scope change enabling full compromise of both self-hosted and cloud instances. EPSS 12.5% indicates high exploitation activity. Patch available.
ZimaOS (fork of CasaOS) through 1.5.0 has an authentication bypass where passwords for system service accounts are not properly validated during login. Attackers can access the system using known service account names with any password. PoC available, EPSS 13.6%.
n8n workflow automation (1.65.0 to 1.121.0) allows unauthenticated file access through form-based workflows. A critical CVSS 10.0 vulnerability enabling remote attackers to read sensitive files from the server, with potential for further compromise. PoC available.
Trend Micro Apex Central has a DLL loading vulnerability (LoadLibraryEX) that allows unauthenticated remote attackers to load attacker-controlled DLLs and execute code as SYSTEM. PoC available.
FLIR Thermal Camera PT-Series firmware version 8.0.0.64 contains multiple unauthenticated remote command injection vulnerabilities in the controllerFlirSystem.php script. [CVSS 9.8 CRITICAL]
JimuReport through 2.1.3 has RCE via user-controlled H2 JDBC URLs. The application passes attacker-supplied JDBC connection strings directly to the H2 driver, which supports directives for arbitrary Java code execution. PoC available.
QloApps hotel management system (through 1.7.0) allows unauthenticated web shell upload through the hotel review feature. Attackers can achieve immediate remote code execution. PoC available.
Print Shop Pro WebDesk 18.34 has SQL injection in the hfInventoryDistFormID parameter of GetUnitPrice. Combined with CVE-2025-61546 (negative quantities), this endpoint has two critical vulnerabilities. PoC available, fixed in 19.69.
Snuffleupagus PHP security module before 0.13.0 can be bypassed when upload validation uses VLD-based scripts without the VLD extension installed. This disables the upload security check entirely, allowing malicious PHP file uploads. PoC available, patch available.
ClipBucket v5 (5.5.2-#187 and below) has blind SQL injection in the channel comment functionality via the obj_id parameter. Unauthenticated attackers can extract the entire database. PoC available.
RustFS (alpha.13 to alpha.78) has a privilege escalation where restricted service accounts can self-issue unrestricted credentials by exploiting a flawed deny_only check in the IAM system. PoC available, patch available.
online-shopping-system-php 1.0 has SQL injection in review_action.php via the proId parameter. PoC available.
KAYSUS KS-WR3600 router (firmware 1.0.5.9.1) has session validation bypass – if any user is logged in, endpoints accept unauthenticated requests. Attackers piggyback on active sessions to execute privileged actions. PoC available.
RuoYi-Vue-Plus (through 5.5.1) allows arbitrary file read/write through QLExpress expression evaluation in the snailjob workflow node checker. Attackers can use the File class to access any file on the server. PoC available.
OWASP Core Rule Set (CRS) before 4.22.0 and 3.3.8 has a bug in rule 922110 that allows WAF bypass on multipart requests. The rule's capture variables get overwritten when processing multiple parts, allowing SQL injection and other attacks to slip through. PoC available, patch available.
Panda Wireless PWRU0 devices (firmware 2.2.9) expose WAN, LAN, and wireless configuration endpoints without authentication. Remote attackers can modify all network settings. PoC available.
Kanboard project management (through 1.2.48) has an authentication bypass when REVERSE_PROXY_AUTH is enabled. The application trusts HTTP headers for authentication without verifying the request came from the reverse proxy. Any attacker can impersonate any user including admins. PoC available, patch available.
enaio document management AppConnector (multiple versions) has SMTP command injection via the /osrest/api/organization/s endpoint. Authenticated attackers can inject arbitrary SMTP commands, potentially sending spam or phishing emails through the organization's mail server. PoC available.
Print Shop Pro WebDesk 18.34 allows purchasing items with negative quantities, creating financial discrepancies. Attackers can generate credits or manipulate pricing through the GetUnitPrice endpoint. PoC available, fixed in 19.69.
FLIR Thermal Camera FC-S/PT firmware version 8.0.0.64 contains an authenticated OS command injection vulnerability that allows attackers to execute shell commands with root privileges. [CVSS 8.8 HIGH]
SmartLiving SmartLAN <=6.x contains an authenticated remote command injection vulnerability in the web.cgi binary through the 'par' POST parameter with the 'testemail' module. [CVSS 8.8 HIGH]
Llama.cpp server endpoints fail to validate the n_discard parameter from JSON input, allowing negative values that trigger out-of-bounds memory writes when the context buffer fills. This memory corruption vulnerability affects LLM inference operations and can be exploited remotely without authentication to crash the service or achieve code execution; public exploit code exists and no patch is currently available.
KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 mishandle configuration management. Once any user is logged in and maintains an active session, an attacker can directly query the backup endpoint and download a full configuration archive. [CVSS 8.8 HIGH]
Heap buffer overflow in iccDEV versions before 2.3.1.2 allows remote code execution when processing malicious ICC color profiles, affecting applications using the iccDEV library to handle color management data. Public exploit code exists for this vulnerability, and no patches are currently available. An attacker can trigger memory corruption through a crafted ICC profile to achieve arbitrary code execution without user interaction beyond opening the malicious file.
Incorrect IAM permission validation in RustFS prior to version 1.0.0-alpha.79 permits principals with export-only permissions to execute import operations, enabling unauthorized modification of users, groups, policies, and service accounts. Public exploit code exists for this vulnerability, and authenticated attackers can escalate privileges through malicious IAM imports. The issue affects all pre-1.0.0-alpha.79 versions with no patch currently available.
Salvo is a Rust web backend framework. [CVSS 8.8 HIGH]
Salvo is a Rust web backend framework. [CVSS 8.8 HIGH]
FLIR Thermal Camera F/FC/PT/D firmware version 8.0.0.64 contains an information disclosure vulnerability that allows unauthenticated attackers to read arbitrary files through unverified input parameters. [CVSS 6.2 MEDIUM]
Cross-Site Scripting in phpgurukul Hostel Management System v2.1 user-provided complaint fields (Explain the Complaint) submitted via /register-complaint.php are stored and rendered unescaped in the admin viewer (/admin/complaint-details.php?cid=<id>). [CVSS 8.7 HIGH]
A command injection vulnerability exists in the GL-iNet GL-AXT1800 router firmware v4.6.8. The vulnerability is present in the `plugins.install_package` RPC method, which fails to properly sanitize user input in package names. [CVSS 8.1 HIGH]
Arbitrary command execution in Greenshot 1.3.310 and earlier stems from insufficient input validation in filename processing, where unsanitized user-supplied filenames are passed directly to shell commands. An attacker can exploit this through a malicious filename containing shell metacharacters to achieve local code execution with user privileges. Public exploit code exists for this vulnerability; users should upgrade to version 1.3.311 or later.
A message unchecked NULL return value vulnerability in Trend Micro Apex Central could allow a remote attacker to create a denial-of-service condition on affected installations. Please note: authentication is not required in order to exploit this vulnerability.. [CVSS 7.5 HIGH]
A message out-of-bounds read vulnerability in Trend Micro Apex Central could allow a remote attacker to create a denial-of-service condition on affected installations. Please note: authentication is not required in order to exploit this vulnerability. [CVSS 7.5 HIGH]
An issue in Insiders Technologies GmbH e-invoice pro before release 1 Service Pack 2 allows a remote attacker to cause a denial of service via a crafted script [CVSS 7.5 HIGH]
FLIR Thermal Camera F/FC/PT/D Stream firmware version 8.0.0.64 contains an unauthenticated vulnerability that allows remote attackers to access live camera streams without credentials. [CVSS 7.5 HIGH]
An issue in Technitium DNS Server v.13.5 allows a remote attacker to cause a denial of service via the rate-limiting component [CVSS 7.5 HIGH]
Facesentry Access Control System Firmware versions up to 5.7.0 is affected by cleartext storage of sensitive information (CVSS 7.5).
FLIR Thermal Camera F/FC/PT/D firmware version 8.0.0.64 contains hard-coded SSH credentials that cannot be changed through normal camera operations. Attackers can leverage these persistent, unmodifiable credentials to gain unauthorized remote access to the thermal camera system. [CVSS 7.5 HIGH]
INIM Electronics Smartliving SmartLAN/G/SI <=6.x contains hard-coded credentials in its Linux distribution image that cannot be changed through normal device operations. [CVSS 7.5 HIGH]
Exported Activity allows external applications to gain application context and directly launch Gmail with inbox access, bypassing security controls. [CVSS 7.5 HIGH]
Remote code execution in OpenMetadata versions before 1.11.4 through Server-Side Template Injection in FreeMarker email templates allows authenticated administrators to execute arbitrary code on the affected system. Public exploit code exists for this vulnerability, and attackers with admin-level access can leverage unsafe template processing to compromise the metadata platform. A patch is available in version 1.11.4 and should be applied immediately.
Openeclass versions up to 4.2 is affected by unrestricted upload of file with dangerous type (CVSS 7.2).
NiceGUI versions 2.22.0 through 3.4.1 contain a cross-site DOM-based XSS vulnerability in the pushstate event listener for ui.sub_pages that allows attackers to manipulate URL fragment identifiers via iframe injection. Public exploit code exists for this vulnerability, and affected users should upgrade to version 3.5.0 or later as no patch is currently available for vulnerable versions.
Unauthorized access control in Titra versions 0.99.49 and earlier enables authenticated users to view and modify time entries belonging to other users in private projects without proper authorization. Public exploit code exists for this vulnerability, affecting deployments that have not upgraded to version 0.99.50. The flaw allows authenticated attackers to compromise data integrity and confidentiality of other users' tracked time information.
Dir-605L Firmware versions up to 6.02cn02 is affected by missing authentication for critical function (CVSS 6.8).
Print Shop Pro Webdesk versions up to 18.34 is affected by cross-site request forgery (csrf) (CVSS 6.8).
Ax1800 Firmware versions up to 4.2.0 is affected by improper restriction of excessive authentication attempts (CVSS 6.5).
Miniflux's media proxy endpoint is vulnerable to Server-Side Request Forgery (SSRF) in versions prior to 2.2.16, allowing authenticated users to craft malicious proxy URLs that force the application to fetch and expose responses from internal network resources including localhost and private IP ranges. An attacker with valid credentials can abuse this to access sensitive internal services and metadata endpoints by embedding specially crafted URLs in feed content. Public exploit code exists for this vulnerability, and no patch is currently available for affected installations.
Spree e-commerce platform versions prior to 4.10.2, 5.0.7, 5.1.9, and 5.2.5 contain an authenticated insecure direct object reference vulnerability allowing logged-in users to access and retrieve address information belonging to other customers by manipulating address identifiers during order modification. Public exploit code exists for this vulnerability, which has been patched in the aforementioned versions.
Facesentry Access Control System Firmware versions up to 5.7.0 is affected by cross-site scripting (xss) (CVSS 6.1).